How to protect yourself from sim-swapping attacks

According to a recent report, Joel Ortiz, the 20-year-old student from Boston who was indicted by prosecutors in Santa Clara, California, has been sentenced to 10 years in prison in what is believed to be the very first SIM swapping conviction in the United States.

Ortiz was charged last year on 28 counts involving various computer-related violations and crimes concerning information law. Ortiz took control of the identities of over 20 people, stealing a total of $5 million in cryptocurrencies with his SIM swapping technique. He pleaded guilty and accepted the plea deal of 10 years jail time.

How SIM Swapping Works

SIM swapping is a technique that involves a criminal contacting the service provider of a target victim. The hacker will then use personal information acquired about a potential target to persuade the service provider to effect a phone number transfer from the current SIM card to one owned by the hacker. As soon as the swap has been executed, the hacker can request sensitive information including verification codes, one-time passwords and two-factor authentication entries, which are usually sent to a user’s mobile phone as part of a successful porting process. SIM swappers are known to target high-security online domains such as social media accounts, email addresses, bank accounts and cryptocurrency wallets.

Other High Profile SIM Swapping Cases

Various SIM swapping cases have been reported lately, including Dawson Bakies, a tech-savvy criminal who used the same technique to make off with thousands of dollars in cryptocurrencies from over 50 victims across the U.S.

Per a press release from the Manhattan District Attorney's office, Bakies has been charged by a grand jury in the state of New York, and he currently faces a 52-count charge, including computer tampering, grand larceny, and identity theft. Bakies pleaded not guilty to the charges leveled against him, and he was subsequently released on a $100,000 bail.

Last year, American crypto investor and businessman Michael Terpin sued AT&T for $233.8 million over fraud and gross negligence on the part of the service provider which resulted in a SIM swapping operation that cost him millions of dollars in digital assets.

Three million tokens were stolen from Terpin’s crypto account, with a total worth of $23 million, at the time. He is also seeking an additional $200 million in punitive damages.

A spate of hacked Instagram accounts. A $220 million lawsuit against AT&T. A bustling underground crime ring. They all have roots in an old problem that has lately found new urgency: SIM card swaps, a scam in which hackers steal your mobile identity—and use it to upend your life.

At its most basic level, a SIM swap is when someone convinces your carrier to switch your phone number over to a SIM card they own. They’re not doing it for prank call cover, or to rack up long-distance charges. By diverting your incoming messages, scammers can easily complete the text-based two-factor authentication checks that protect your most sensitive accounts. Or, if you don’t have two-factor set up in the first place, they can use your phone number to trick services into coughing up your passwords.

SIM attacks appear to be behind a recent string of Instagram takeovers, as well as the very unfortunate, not great time a hacker posted Justin Bieber nudes from Selena Gomez’s account last year. But they can impact other corners of your life as well. A cryptocurrency investor this week claimed that a SIM swap resulted in the theft of $23.8 million worth of tokens; he’s suing his carrier, AT&T, for 10 times that amount. And Motherboard recently documented a number of incidents in which SIM hijackers drained thousands of dollars out of people’s checking accounts.

A sobering caveat: If a skilled SIM hijacker targets you, there’s realistically not much you can do to stop them, says Allison Nixon, a threat researcher at security firm Flashpoint. “In most of the cases that we’ve seen, a sufficiently determined attacker can take over someone’s online footprint,” she says.

That’s because ultimately, the machinations behind SIM swaps are largely out of your control. Perfect security hygiene won’t always keep someone from fooling your carrier, and in fact, they may not even have to; Flashpoint has found some indications that SIM hijackers recruit retail workers at mobile shops to gain access to protected accounts. A comprehensive SIM swap fix would require fundamentally rethinking the role of phone numbers in 2018. “Phone numbers were never intended to be a way to confirm someone’s identity,” says Nixon. “Phone companies were never in the business to sell identity documents. It was imposed on them.”

The good news is, you can take steps to limit the chances that a SIM swap attack will happen to you—and limit the fallout if it does.

Every major US carrier offers you the option of putting a PIN or a passcode on your account. Take them up on it. Having one adds another layer of protection, another piece of information an attacker needs before they can compromise your identity. That won’t help against an insider threat, but it’s much better than nothing.

On AT&T, you can set up a “wireless passcode” that’s four to eight digits long by going to your profile, then Sign-in info, then Get a new passcode. You should also add what the carrier calls “extra security,” which just means it’ll require the passcode to manage your account online or in a retail store. You can find that by going again to Sign-in info, then Wireless passcode, and checking Manage extra security.

Verizon actually requires a PIN, but to set yours up or change it, head to this site, then sign into your account. Enter the PIN of your choice twice, click Submit, and you’re done.

For T-Mobile, you have to call instead; dial 611 from your mobile phone and ask to add “Port Validation” to your account, which lets you choose a six- to 15-digit PIN. On Sprint, sign into your account, click on My Sprint, then go to Profile and security. Scroll to Security information, and update your PIN there.

Yes, remembering another PIN is a pain, especially when you’ll likely only need it every couple of years. But it’s worth the effort. “Most people have that turned off because if they can’t remember their PIN they can’t go into the local Verizon store and get a new phone,” says Chet Wisniewski, principal research scientist at security firm Sophos. “If you can turn a PIN on with your mobile carrier to prevent your number from being manipulated, you should. Go ahead and write it down. No one’s going to break into your house and steal your notepad from underneath your underwear in your secret drawer in your bedroom.”

We’ve talked about this recently, but it bears repeating. Getting your two-factor authentication codes over SMS is better than nothing, but it won’t help at all if a SIM swap hits. What will work? Using an authentication app instead.

Apps like Google Authenticator and Authy give you that extra layer of security like SMS-based two-factor does, but they also tie it to your physical device rather than the number the phone company assigned to you. They show you a six-digit code that updates every 30 seconds or so, and stays in constant sync with whatever service you connect them to.

'The challenge we have is these app developers need a universal identifier, and they’ve just decided that the phone number’s as good as anything.'

Chet Wisniewski, Sophos

Want to step your two-factor up even further? Opt instead for a physical authentication method, like a Yubikey. These little fobs fit on your keychain, and plug into your computer’s USB port to help verify your identity. “If you’ve enabled a physical token, plus your password, and you turn off SMS, then someone literally is going to have to steal your keys. That raises the stakes to a whole other level,” says Wisniewski.

Not all services allow for tougher two-factor. (Instagram’s the most notable example, although the social network says it’s working on expanding the options it offers.) But switch it on where you can to give yourself the best shot at staying safe.

If a hacker has a phone number that’s associated with some of your online accounts, they can sometimes circumvent two-factor requirements altogether—which gets back to the problem of using phone numbers as identifiers in the first place. Disentangling yourself from those seven digits is hard to do at scale, but it’s worth at least trying on especially sensitive accounts, or if you might be a high-value target.

“If there’s one particular thing that you have that you know a thief would go after, like your bank account or your bitcoin holdings or your user name on social media, obviously keep that account separate from the rest of your online identity,” says Nixon. “If you’re extra paranoid, you can have a separate phone number, and keep that phone number secret. I know that’s kind of over the top, but some people who try to protect themselves from this attack vector do try things like that.”

SIM-swapping and port-out frauds can have disastrous consequences, but learning to spot the signs and taking preventive steps can help.

The US Federal Communications Commission (FCC) recently proposed a bunch of new rules to combat the SIM-swapping and port-out menace, reigniting the debate around two well-known smartphone frauds that have caused millions of dollars in damage and ruined many lives. SIM swapping happens when a bad actor convinces a carrier to transfer the cellular service from a victim’s phone to a phone that the fraudster has in their possession. Port-out fraud, on the other hand, happens when a fraudster poses as a victim and gets the cellular service ported from the original carrier to a new carrier of their choice.

In an age where a ton of services are linked to mobile numbers, the potential for account takeover, data theft, and extortion is enormously high. These incidents are not limited to just one region of the globe either. In the past, fraudsters have used a SIM-swap hack to dupe thousands of users by asking them for a sham carrier fee. Cryptocurrency investors have also been the victims of such attacks, facing extortion after their data was stolen. On multiple occasions, law enforcement authorities have busted rings involved in hijacking phones of celebrities with millions of dollars at stake. With poor levels of identity verification requirements in a lot of these cases, users are left vulnerable.

Currently, it is mostly left up to the user to take the necessary steps to avoid being targeted by SIM-swapping and port-out frauds. Before that’s possible, however, users need to be able to read the signs that such an attack is in progress, and the FCC has previously provided some guidance on this. For example, if users suddenly aren’t able to send texts or make calls, they should immediately reach out to their service provider to look into the issue. Another red flag is when users receive alerts that their SIM has been activated or is being used on another device. Likewise, if login credentials for services, like a bank account (assuming it has been linked to a mobile number), suddenly start failing, that’s a major tell-tale sign that something might be wrong.

Small Steps Help Prevent Scams

One of the most important steps that users can take is to avoid sharing their number on social media platforms and other discussion forums, as malicious parties often lurk in these places looking to scoop up such personal information. Another step is using a strong, unique password for the cellular service account itself. If possible, always enable two-factor authentication for an extra level of security. Some services now accept biometrics such as fingerprints for authentication in place of a PIN or text-based verification. If that is an option, it is worth using biometric verification.

Another crucial step is verifying emails, texts, or calls that ask for account details. Carriers and telecom service providers usually don’t ask for personal information and account details, which may include anything from identification information and payment details to linked emails, passwords, or codes sent via SMS. Users should always verify the details with their service provider before responding to such requests. For those worried about the security aspect, a great solution is using a service like Google Authenticator. Using multi-factor authentication, or even a physical security key, can be one of the most reliable methods to avoid SIM-swapping and port-out fraud.

Two-factor authentication is rapidly becoming a “must-do” in this era of rampant cyber threats. I’ve discussed and encouraged two-factor authentication here and in Learning Tree’s cyber security introduction course. But it must be done correctly.

Two-step and two-factor authentication

Some organizations use hardware tokens that display numbers that change every thirty seconds or so. Apps such as Google Authenticator perform a similar function. (The main difference is that the numbers on the token are entered as part of a password – e.g. mypassword409678 – while the value on the Google Authenticator is entered separately. Thus, the former is called two-factor authentication, while the latter is called two-step authentication.)

Many web sites use a technique where a code is sent to a user’s mobile device via SMS, the “Short Message Service” generally used for text messages. There is a potential issue with that, though: the wrong people could receive the message.

SIM-swapping

SMS messages are sent to users’ phone numbers. It is assumed that only the authorized user has access to the phone corresponding to the number. Attackers have found ways to move numbers to other phones. The number is associated with the phone via the SIM (subscriber identity module) card, a tiny electronic device embedded in plastic or cardboard.

There are two predominant ways attackers move a number to a device they control and both rely on social engineering. The first way is to contact the victim’s mobile service provider, pretend to be the victim, and get the number re-assigned. The second way is for the attacker to pretend to be an employee of the service provider and gain access to the provider’s subscriber management database.

Attackers have used these techniques to steal cash and bitcoin. One theft was alleged to be in the tens of millions of dollars. But many are smaller and the victims are not just individuals; the attackers may want access to corporate or government systems. The problem has become significant and US Senators and Members of Congress have sent a letter to the FCC asking it to take action.

My concern is that web sites and others use messages sent by SMS to validate password changes. If an attacker has access to the SMS messages of a victim, not only can the attacker receive access codes, but can also reset account passwords.

What can be done to protect your account

If SMS is to be used as an authentication step, mobile service providers must take two important steps. The first is to train their employees about the dangers of social engineering attacks. Specifically, they must be taught to accurately authenticate number change requests. Secondly, there need to be mechanisms deployed that prevent a single employee from making a change without actual confirmation from the subscriber.

Some providers – e.g. T-Mobile – allow users to enable a process where number changes can only be made when the user appears in person with proper identification. At least at T-Mobile, the process is voluntary and may have some issues. Many providers have a feature where a PIN is required for a change.

The best solution is to use a different second step such as Google Authenticator, but with ubiquitous SMS capabilities on mobile devices, sending a number via a text message is attractive to website designers. If using another option is impossible or unavailable, enabling all possible account protections is essential.

To understand why this is bad, you need to know how SIM-swapping works. Here are the details:

SIM-swapping is an elaborate scam. The first thing the criminal needs to do is get some basic information about the victim. This can be done through social engineering and phishing scams where crooks gather as much information as they can.

They browse social media posts, use search engines or engage potential victims in online chats in hopes of getting details that can be used for security questions, like your mother’s maiden name, the names of pets, and so on.

Criminals can also get this type of information by using keylogging or spying malware. They can also purchase personal information databases from the Dark Web.

Once scammers have the information they need, they contact the victim’s mobile phone carrier. They claim to be the victim and that their phone has been lost or stolen, so they need to activate a new phone with a fresh SIM card.

If they successfully pass the identity checks by answering security questions, the old SIM card is deactivated and the one the criminal has is activated. All of the calls and texts are now sent to the fraudster’s phone.

If this happens to you, your phone will stop working and you will most likely get a “No Service” warning. This is the first sign that you’re being scammed. And it’s not just a lack of phone service you need to worry about — the thief can now try to access your bank and other online accounts.

They do this by using the personal data they’ve already gathered, but this time they can incorporate your phone number to receive two-factor authentication (2FA) codes. If successful, they can change your profile settings and set it up to make deposits into their own account.

Now the crook can start draining your bank account. If you have 2FA set up, your bank will ask them for confirmation of who they are by requiring an authentication code sent to your phone number, which is under the criminal’s control. Game over — your bank account is now wiped out.

To make matters worse, now you have to deal with your phone company and bank to prove who you are, which can be a major headache. It’s best to take preventative steps before falling victim to one of these scams.

How to protect your phone from SIM-swap attacks

Since SIM-swap scams are becoming more prevalent, you need to know how to protect yourself. Here are some suggestions:

Use a 2FA app

As we told you earlier, SIM-swapping scams are designed to circumvent 2FA — but only if the 2FA you’re using relies on text messages sent to your phone.

Instead of using text messages for your 2FA codes, try using an authenticator app like Google Authenticator. It’s far more secure than text messages, since the codes can’t be intercepted at the carrier level.

The Google Authenticator app is available for both Apple and Android devices.

Never overshare online

For SIM-swapping scams to be successful, the criminal needs personal information. One way they get it is from social media sites like Facebook. That’s why you should never include things like your address and phone number when creating your profile.

Also, don’t give any sensitive information away if you happen to be chatting with strangers online. It might seem like you’re having a harmless conversation when they ask you the name of your childhood pet, but they can use that information against you when it comes to online account security questions.

To be safe, you should remove your personal data from, and opt out of, data broker sites.

Create a PIN for your mobile account

Some mobile carriers require a PIN code to make any changes to your account by default. Even if it’s not this way with your carrier, you should set one up.

Call your carrier and explain you want to set up a PIN they have to ask for before any changes can be made to your account — including switching SIM cards. This way, a criminal won’t be able to take over your account just by knowing the name of the first dog you ever had.

SIM swapping is one of several names for a type of scam or fraud that involves an attacker moving a victim’s cellular phone number to a SIM card they control.

Also called port-out scams, SIM swap scams or simjacking, these scams typically target online accounts that use two-factor authentication (2FA) methods that rely on phone numbers. Targets can be wide-ranging, including everything from online banking to social media accounts with coveted handles. Effectively, any online account that uses phone-based 2FA to authenticate users could be vulnerable.

SIM swapping happens frequently — in the last few years, there have been several examples of SIM swapping in Canada. Plus, SIM swap attacks against high-profile targets, like Twitter CEO Jack Dorsey, have elevated the issue.

The most common way you’ll spot a SIM swap scam is if your phone suddenly loses service. Of course, there are other reasons why your phone might lose service, so one way to double-check is by logging into your carrier account and checking if the listed SIM card number matches the one on the card in your smartphone.

If the numbers are different, someone likely swapped your SIM. Alternatively, if you have access to another phone, you can pop your SIM into it to check if it’s an issue with your phone. Some carriers may text users a warning before a number port takes place, but those can be unreliable (more on that later).

How SIM swapping works

At a basic level, SIM swaps start with an attacker initiating a number port. There are several ways to accomplish this, but typically, it requires the attacker to have enough basic information about the target to bypass carrier protections. If an attacker can successfully port a victim’s phone number to a SIM card they control, they can intercept incoming messages and calls.

Although that alone may be scary enough, what an attacker can do with that information is much more frightening. An attacker with a hijacked phone number may be able to log into any online account that uses the victim’s phone number as a method of authentication. You know those texts you get with a short code that you need to type in after logging into a website? Those now go to the attacker’s phone with your number.

If the attacker can gain access to a victim’s online accounts, that’s where they can do real damage. Getting into someone’s email account greatly expands access to other online accounts connected to that email. Similarly, many online banking websites rely on phone-based 2FA to authenticate users.

Moreover, SIM swapping is particularly difficult for people who only have one phone. I write from experience in this regard — last year, my wife was a victim of SIM swapping. At the time, she didn’t have access to another phone, so when her smartphone lost service, there was nothing she could do to stop the swap from happening.

To make matters worse, the SIM swap happened at around 11pm — by the time she was able to get another phone to call the carrier and stop the port, the call centre was closed. Thankfully the attacker wasn’t able to access any important accounts, and the following day she was able to have her carrier recover the number and re-activate her SIM card.

If you suspect your SIM has been swapped, you should start by calling your carrier. They should be able to prevent the port entirely, or reverse it if it already happened. You should also monitor your accounts for any signs of unauthorized access or other suspicious activity. Consider updating passwords for important services as well. Victims should also consider reporting the incident to the Canadian Anti-Fraud Centre.

How to protect yourself from SIM swapping

Unfortunately, there are fairly limited options when it comes to protecting yourself from SIM swapping attacks. Since most of these attacks start at the carrier, it’s up to them to protect customers. According to a report in 2020, Canadian carriers were not doing enough to protect customers. Worse, several carriers and the CRTC refused to share information on measures taken to prevent SIM swapping, claiming that revealing the information could help attackers.

That said, most carriers do offer some type of port protection. However, you’ll need to contact your carrier and request it for your account. Having a PIN for authenticating account changes with your carrier helps as well. If possible, avoid sharing personal data online, since attackers can use that information to convince carriers that they are the target, bypassing security and initiating a port.

Some carriers are more proactive about SIM swapping. Telus flanker brand Public Mobile, for example, published a help article about SIM swapping. And, as mentioned above, some carriers warn customers of number ports via text message, but these can be unreliable at best and completely unhelpful at worst. My wife received one of these warning messages moments before losing service. It had a phone number for her to call to stop the port, but — as mentioned above — she couldn’t call anyone without service thanks to the port.

Carriers aside, another great way to protect yourself is to avoid using phone-based 2FA. Emphasis on the phone-based, since other 2FA methods that use, for example, an app on your smartphone, don’t suffer from the same flaw as the ones that send you a text. You should check your online accounts — obviously, checking all of them may not be feasible, so prioritize your most important accounts like email and banking — and make sure they use app-based 2FA. If you need to, download a 2FA app (Google Authenticator, Microsoft Authenticator and Authy are just a few options).

Another way to protect yourself, although less to do with SIM swapping, is using a password manager. SIM swapping helps attackers bypass 2FA, but that means they still need your password since it’s a joint system. Using a password manager helps protect your accounts because it makes it much, much easier to use a unique, long and secure password for each account. Not only does that make it harder for someone to break into an account, it also prevents one compromised password from granting access to all your accounts.

SIM swapping is when an attacker switches a victim’s phone number to a SIM card they control

How to protect yourself from sim-swapping attacks

SIM swapping is one of several names for a type of scam or fraud that involves an attacker moving a victim’s cellular phone number to a SIM card they control.

Also called port-out scams, SIM swap scams or simjacking, these scams typically target online accounts that use two-factor authentication (2FA) methods that rely on phone numbers. Targets can be wide-ranging, including everything from online banking to social media accounts with coveted handles. Effectively, any online account that uses phone-based 2FA to authenticate users could be vulnerable.

SIM swapping happens frequently — in the last few years, there have been several examples of SIM swapping in Canada. Plus, SIM swap attacks against high-profile targets, like Twitter CEO Jack Dorsey, have elevated the issue.

The most common way you’ll spot a SIM swap scam is if your phone suddenly loses service. Of course, there are other reasons why your phone might lose service, so one way to double-check is by logging into your carrier account and checking if the listed SIM card number matches the one on the card in your smartphone.

If the numbers are different, someone like swapped your SIM. Alternatively, if you have access to another phone, you can pop your SIM into it to check if it’s an issue with your phone. Some carriers may text users a warning before a number port takes place, but those can be unreliable (more on that later).

How SIM swapping works

At a basic level, SIM swaps start with an attacker initiating a number port. There are several ways to accomplish this, but typically, it requires the attacker to have enough basic information about the target to bypass carrier protections. If an attacker can successfully port a victim’s phone number to a SIM card they control, they can intercept incoming messages and calls.

Although that alone may be scary enough, what an attacker can do with that information is much more frightening. An attacker with a hijacked phone number may be able to log into any online account that uses the victim’s phone number as a method of authentication. You know those texts you get with a short code that you need to type in after logging into a website? Those now go to the attacker’s phone with your number.

If the attacker can gain access to a victim’s online accounts, that’s where they can do real damage. Getting into someone’s email account greatly expands access to other online accounts connected to that email. Similarly, many online banking websites rely on phone-based 2FA to authenticate users.

Moreover, SIM swapping is particularly difficult for people who only have one phone. I write from experience in this regard — last year, my wife was a victim of SIM swapping. At the time, she didn’t have access to another phone, so when her smartphone lost service, there was nothing she could do to stop the swap from happening.

To make matters worse, the SIM swap happened at around 11pm — by the time she was able to get another phone to call the carrier and stop the port, the call centre was closed. Thankfully the attacker wasn’t able to access any important accounts, and the following day she was able to have her carrier recover the number and re-activate her SIM card.

If you suspect your SIM has been swapped, you should start by calling your carrier. They should be able to prevent the port entirely, or reverse it if it already happened. You should also monitor your accounts for any signs of unauthorized access or other suspicious activity. Consider updating passwords for important services as well. Victims should also consider reporting the incident to the Canadian Anti-Fraud Centre.

How to protect yourself from SIM swapping

Unfortunately, there are fairly limited options when it comes to protecting yourself from SIM swapping attacks. Since most of these attacks start at the carrier, it’s up to them to protect customers. According to a report in 2020, Canadian carriers were not doing enough to protect customers. Worse, several carriers and the CRTC refused to share information on measures taken to prevent SIM swapping, claiming that revealing the information could help attackers.

That said, most carriers do offer some type of port protection. However, you’ll need to contact your carrier and request it for your account. Having a PIN for authenticating account changes with your carrier helps as well. If possible, avoid sharing personal data online, since attackers can use that information to convince carriers that they are the target, bypassing security and initiating a port.

Some carriers are more proactive about SIM swapping. Telus flanker brand Public Mobile, for example, published a help article about SIM swapping. And, as mentioned above, some carriers warn customers of number ports via text message, but these can be unreliable at best and completely unhelpful at worst. My wife received one of these warning messages moments before losing service. It had a phone number for her to call to stop the port, but — as mentioned above — she couldn’t call anyone without service thanks to the port.

Carriers aside, another great way to protect yourself is to avoid using phone-based 2FA. Emphasis on the phone-based, since other 2FA methods that use, for example, an app on your smartphone, don’t suffer from the same flaw as the ones that send you a text. You should check your online accounts — obviously, checking all of them may not be feasible, so prioritize your most important accounts like email and banking — and make sure they use app-based 2FA. If you need to, download a 2FA app (Google Authenticator, Microsoft Authenticator and Authy are just a few options).

Another way to protect yourself, although less to do with SIM swapping, is using a password manager. SIM swapping helps attackers bypass SMS-based 2FA, but they still need your password, since both factors are required to log in. Using a password manager helps protect your accounts because it makes it much, much easier to use a unique, long and secure password for each account. Not only does that make it harder for someone to break into an account, it also prevents one compromised password from granting access to all your accounts.

How to protect yourself from sim-swapping attacks

The U.S. Federal Trade Commission (FTC) issued guidance on how to protect yourself from SIM swapping attacks, which scammers use to take control of your phone number, bypass SMS-based multi-factor authentication (MFA) on your accounts, and steal your credentials.

SIM swapping (otherwise known as SIM hijacking, SIM splitting, or SIM jacking) is a type of account takeover (ATO) fraud through which attackers get control of a target’s phone numbers.

This is done by convincing their mobile phone service providers to swap the phone number to an attacker-controlled SIM card either with the help of a bribed employee or by using social engineering.

Scammers use one of the following three methods to conduct such an attack, as Santa Clara County District Attorney’s office detective Caleb Tuttle told Brian Krebs:

“Armed with your login credentials, the scammer could log in to your bank account and steal your money, or take over your email or social media accounts,” the FTC says. “And they could change the passwords and lock you out of your accounts.”

SIM swapping defense

FTC lists the following measures you can take to protect against a SIM card swap attack:

Individuals whose phone numbers were stolen in a SIM swapping attack should take the following steps to minimize the potential damage:

If the crooks have already taken control of one of your accounts or have already stolen some of your information including but not limited to Social Security, credit card, or bank account numbers, you need to head over to IdentityTheft.gov and follow the steps needed to protect yourself from identity theft.

The FTC also provides detailed info on how to keep personal information secure online and how to efficiently secure personal information on your phone.

FBI-issued SIM hijacking warning

The Federal Bureau of Investigation (FBI) also published a SIM swapping alert in March after observing an escalation in the number of SIM jacking attacks.

“The FBI has seen an increase in the use of SIM jacking by criminals to steal digital currency using information found on social media,” stated Special Agent in Charge John F. Bennett of the FBI San Francisco Division at the time.

“This includes personally-identifying information or details about the victim’s digital currency accounts.”

Besides outlining the pattern used by the criminals to run SIM splitting attacks, the FBI also listed several measures to prevent becoming a victim, and the following steps to mitigate any harm and report the incident: